Monthly Security Patching for Fully-Managed Windows 2012+ servers - January 19, 2022
Posted by David Cunningham on 19 January 2022 08:32 PM
Purpose of Work:
January's Patch Tuesday was last week, and the security updates released were roughly double the number seen in previous January Patch Tuesdays.
Unfortunately, this seems to have come at the expense of quality control: the initial releases of these patches caused various issues, including boot-looping domain controllers, Hyper-V servers that couldn't run their workloads, ReFS volumes that weren't detected, and Microsoft L2TP VPN clients that would not work with existing tunnels.
It does look like Microsoft has followed up with out-of-band patches for each of these issues on every OS, so we'll be applying the patches and the fixes for those patches side by side on our managed environment today.
Here's a quick summary of updates:
First up, we have a wormable RCE flaw leveraging the HTTP stack on Server 2019 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907 ). Wormable flaws in general have the most urgent fix requirements. Luckily, this only affects Server 2022 by default, and we had already disabled the functionality that allows for this vulnerability on all 2022 servers we manage as of the 11th. Today, we'll patch this up with a more permanent fix.
Secondly, there are a few Exchange RCE vulnerabilities affecting all supported versions ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21846 ). These seem to require adjacency within the same network, so the risk isn't as high as it could be. We'll still be patching this out tonight on our managed Exchange servers. During that window, you'll be unable to reach us via email, but the helpdesk app and phones will still work.
Third, there's an EoP vulnerability affecting all versions of Active Directory ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21857 ). This is a high-priority patch that, unfortunately, was breaking domain controllers until about 36 hours ago. Microsoft's site doesn't list it as publicly known, so tonight's patching should still be timely.
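As an added example that is not part of the original notice, the following PowerShell audit reports, for one managed host, which of the three items above applies to it (domain controller, Exchange server, HTTP.sys in scope) and which updates have been installed since Patch Tuesday. The registry value it reads for the HTTP.sys item (EnableTrailerSupport under the HTTP service parameters) comes from Microsoft's advisory for CVE-2022-21907, not from this notice; the server names and the expected KB list are placeholders to be filled in from the MSRC update guide.

```powershell
# Added example, not part of the original notice: a read-only audit of one host
# against the three January 2022 items (AD EoP, Exchange RCE, HTTP.sys RCE) and
# of which updates have landed since Patch Tuesday. Run locally, or hand the
# script block to Invoke-Command for every managed server.
#
# Assumptions not stated on the page: the CVE-2022-21907 feature toggle is the
# HTTP.sys 'EnableTrailerSupport' DWORD named in Microsoft's advisory; the KB
# numbers are a placeholder list.

$PatchTuesday = Get-Date -Year 2022 -Month 1 -Day 11
$ExpectedKBs  = @('KB0000000')   # PLACEHOLDER: fill in from the MSRC update guide

$Audit = {
    param([datetime]$Since, [string[]]$Kbs)

    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDC = $cs.DomainRole -in 4, 5
    # Exchange mailbox servers run the Information Store service
    $isExchange = [bool](Get-Service -Name MSExchangeIS -ErrorAction SilentlyContinue)

    # HTTP.sys trailer support, the feature behind CVE-2022-21907. Build 17763 is
    # Server 2019, 20348 is Server 2022; the notice says 2019+ is affected and
    # only 2022 is vulnerable by default.
    $httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $trailer = (Get-ItemProperty -Path $httpParams -Name EnableTrailerSupport `
                -ErrorAction SilentlyContinue).EnableTrailerSupport
    $trailerText = if ($null -eq $trailer) { 'not set' } else { "$trailer" }
    $build = [int]$os.BuildNumber
    $httpSysInScope = $build -ge 17763
    $httpSysDefaultVulnerable = $build -ge 20348

    # Hotfixes installed on or after Patch Tuesday, and any expected KB not seen
    $recentFixes = Get-HotFix | Where-Object { $_.InstalledOn -ge $Since }
    $missingKbs  = $Kbs | Where-Object { $_ -notin $recentFixes.HotFixID }

    # Windows Update sets this key when a reboot is still required
    $rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        OS                     = $os.Caption
        Build                  = $build
        DomainController       = $isDC                     # CVE-2022-21857
        ExchangeServer         = $isExchange               # CVE-2022-21846
        HttpSysInScope         = $httpSysInScope           # CVE-2022-21907
        HttpSysDefaultVulnerable = $httpSysDefaultVulnerable
        TrailerSupportValue    = $trailerText
        UpdatesSincePatchTuesday = ($recentFixes.HotFixID -join ',')
        MissingExpectedKBs     = ($missingKbs -join ',')
        RebootPending          = Test-Path $rebootKey
    }
}

# Local run on the current host
& $Audit -Since $PatchTuesday -Kbs $ExpectedKBs | Format-List

# Fleet run (server names are placeholders)
# Invoke-Command -ComputerName 'srv-2022-01', 'dc-01' -ScriptBlock $Audit `
#     -ArgumentList $PatchTuesday, $ExpectedKBs |
#     Format-Table ComputerName, OS, DomainController, ExchangeServer, HttpSysInScope, TrailerSupportValue, MissingExpectedKBs
```

The output is meant to be triaged rather than acted on automatically: a host with DomainController true and MissingExpectedKBs non-empty is the one to reboot first, and a Server 2022 host whose TrailerSupportValue reads "not set" tells you only that the interim workaround is no longer in place, not that the permanent fix is installed, which is what the KB columns are for.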
There are plenty more flaws this January, but rather than sum up a big sample of them, we'll just get started on deploying them shortly.
Impact of Work:
All affected hosts running 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 9:00 PM, with some exceptions.
Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted for the time it takes to reboot them. Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle. If you receive a delivery failure, you can still reach us by logging directly into the helpdesk and submitting a ticket via the portal, or by calling us at 303-414-6910 x2 for emergencies.
Hypervisors in a failover cluster will have rolling reboots done in order to eliminate VPS downtime on those clusters. Hypervisors not in a failover cluster will either be updated overnight or have their updates scheduled, depending on customer policy / VM density.
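The rolling-reboot approach for clustered hypervisors, shown as an added PowerShell example rather than the provider's own tooling: each node is drained (its VMs live-migrate to other nodes), updated, rebooted, and resumed before the next node is touched, and the rollout stops if any VM role has failed. It assumes the FailoverClusters module on the machine running it and PowerShell remoting to every node; the cluster name is a placeholder, and the update-install step is left as a placeholder for whatever patch tool is in use.

```powershell
# Added example, not the provider's own tooling: roll through a Hyper-V failover
# cluster one node at a time so VMs are live-migrated off before each reboot.
# Assumes the FailoverClusters module locally and PowerShell remoting to each
# node. The install step is a PLACEHOLDER for your patch tool.

Import-Module FailoverClusters

function Update-ClusterNodeRolling {
    param(
        [Parameter(Mandatory)][string]$Cluster,
        [int]$SettleSeconds = 120   # time for roles to settle before the next node
    )

    $nodes = Get-ClusterNode -Cluster $Cluster | Where-Object State -eq 'Up'

    foreach ($node in $nodes) {
        $name = $node.Name
        Write-Host "[$name] draining clustered roles (live migration of VMs)"
        # -Drain moves every role off the node; -Wait blocks until the drain finishes.
        Suspend-ClusterNode -Cluster $Cluster -Name $name -Drain -Wait | Out-Null

        Write-Host "[$name] installing updates"
        Invoke-Command -ComputerName $name -ScriptBlock {
            # PLACEHOLDER: install the approved updates here (patch tool of choice)
        }

        Write-Host "[$name] rebooting"
        Restart-Computer -ComputerName $name -Force -Wait -For PowerShell -Timeout 1800

        # A drained node comes back Paused; wait until the cluster service sees it.
        do {
            Start-Sleep -Seconds 15
            $state = (Get-ClusterNode -Cluster $Cluster -Name $name).State
        } until ($state -eq 'Paused' -or $state -eq 'Up')

        # Resume and immediately fail back the roles that prefer this node.
        Resume-ClusterNode -Cluster $Cluster -Name $name -Failback Immediate | Out-Null
        Start-Sleep -Seconds $SettleSeconds

        # Stop the rollout if any VM role failed: taking a second node down while
        # a role is already failed is how VPS downtime happens.
        $failedVMs = Get-ClusterGroup -Cluster $Cluster |
            Where-Object { $_.GroupType -eq 'VirtualMachine' -and $_.State -eq 'Failed' }
        if ($failedVMs) {
            throw "[$name] VM roles in Failed state after resume: $($failedVMs.Name -join ', ')"
        }
        Write-Host "[$name] done"
    }
}

# Update-ClusterNodeRolling -Cluster 'hv-cluster-01'   # placeholder cluster name
```

Only VM roles in the Failed state abort the loop; a VM that was Off before the rollout stays Offline and is not treated as an error. The Paused check before Resume-ClusterNode matters because Restart-Computer returns as soon as remoting is back, which can be before the cluster service has rejoined.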
Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.
Please contact us with any questions / comments / concerns.